MongoDB_and_NoSQL_injection_and_prevention

This paper discusses the vulnerabilities associated with NoSQL databases, specifically MongoDB, and outlines four types of NoSQL injection attacks: Error-based, Union Query, JavaScript injection, and Tautologies. It also presents five prevention methods, including Web Application Firewall (WAF), User-side validation, Parameterized queries, Express Mongo Sanitize, and Server-side validation, emphasizing the importance of a multi-layered security approach. The findings demonstrate the effectiveness of server-side validation in preventing attacks, particularly through a practical example involving the OWASP Juice Shop.


See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/378463041

MongoDB and NoSQL injection and prevention

Research · February 2024


DOI: 10.13140/RG.2.2.29434.67524

Citations: 0. Reads: 844.

1 author: Omar Abuali, An-Najah National University (2 publications, 0 citations)

All content following this page was uploaded by Omar Abuali on 24 February 2024.



MongoDB and NoSQL injection and prevention
Omar Muhannad AbuAli
Network and Information Security, An-Najah National University

Abstract—With the growing use of NoSQL databases such as MongoDB, and the features they offer such as handling large amounts of data, the risk of NoSQL injection becomes a critical concern. This paper explores the problems and vulnerabilities that NoSQL databases might face. The study presents four types of NoSQL injection attacks: Error-based, Union Query, JavaScript injection, and Tautologies; it also gives a practical example of a Tautologies attack on the OWASP Juice Shop, showing how product reviews are manipulated. To prevent these threats, the paper describes five prevention methods: Web Application Firewall (WAF), User-side validation, Parameterized queries, Express Mongo Sanitize, and the Least-privilege model. Each method is discussed in detail for its effectiveness and the drawbacks it could have, and for how security measures can affect software performance; moreover, the paper introduces Server-side validation as a strong secondary defense against NoSQL injection attacks. The findings show the need for a multi-layered security approach that combines several preventive steps to ensure a good defense against NoSQL injection attacks. The real-life example highlights the successful use of server-side validation to stop the tautologies attack, which gives a useful example of good safety measures.

Index Terms—NoSQL Injection, MongoDB, Database security, Open Web Application Security Project (OWASP), NoSQL Injection prevention methods

I. INTRODUCTION
NoSQL, short for "non-SQL" or "non-relational", refers to a category of database management systems that differ from traditional relational database systems in significant ways. These systems are designed to handle large volumes of data and are known for their flexibility, scalability, and high performance. In the current era of rapid technological advancement there is an increasing need for databases capable of managing the huge amounts of data that companies deal with, and that is what NoSQL databases offer; organizations use NoSQL databases such as Amazon DynamoDB, Cassandra, Manhattan and MongoDB. "According to OWASP, injection has the third position in the top 10 list of the most critical security risks to web applications." A NoSQL injection attack works when the web application accepts input through which the attacker can send a malicious query or command to the database; this could give him access to the database, where he can manipulate the data, drop tables, or withdraw sensitive data. In this way the attack can break integrity and confidentiality, two of the three principles of information security. With NoSQL databases several types of attack can be performed, so in this paper we chose to discuss four types of attack, one of which has been implemented:
• Error-based
• Union Query
• JavaScript injection
• Tautologies

On the other hand, there are different ways used or suggested to prevent NoSQL injections; in this paper we discuss 5 of them:
• Web application firewall (WAF).
• User-side validation.
• Parameterized queries.
• Express Mongo Sanitize.
• Least-privilege model.
• Server-side validation.

The rest of the paper is organized as follows: the paper starts with a literature review in section 2, then the attacks are listed and explained in section 3. Section 4 presents the prevention methods being implemented and tested in some detail and illustrates the implementation results. Section 5 presents how security measures can affect software performance, then results are given in Section 6. The paper ends with the conclusion section.

II. LITERATURE REVIEW

A. MongoDB
MongoDB is an open-source database and one of the many NoSQL database system types identified as document-oriented. MongoDB stores data in JSON-style format. There are many features of MongoDB, and the most important ones are flexibility, scalability, and high-performance data handling. MongoDB is considered schema-less, which means that there are no relations between the collections that store the data inside. NoSQL databases are also used more in IoT because they provide an easy way to store this unstructured data. A collection in MongoDB is a set of documents, similar to a normal table in a relational database. MongoDB uses port 27017 by default (Gupta, S. Singh, N. Tomar, D. 2018). Here is an example of an insert statement in MongoDB, which makes clear why injection into a JSON-structured query is more difficult than into SQL:

    db.books.insert({title: 'NoSQL injection', author: 'O. omar'})

B. NoSQL injection in MongoDB
NoSQL databases store data in a complex way; MongoDB, for example, stores data in JSON format. Due to that, the attacker finds it harder to apply NoSQL injection compared to normal SQL injection, which is known to most users. Anyway, it is not 100 percent safe, as every system can be compromised and hacked; however, systems with more complex and protected security are harder to hack than normal ones. There are many NoSQL injection attacks, and we discuss them in the next section.
III. NOSQL INJECTION ATTACKS
1) Error-based: In this injection, the attacker uses special NoSQL characters such as ' " \ / $ [ ] . > and sends them to the server, then waits to check whether the server returns an error. From the errors the server returns, the attacker learns which database and version are used in the website back-end.
2) Union Query: This attack is more commonly known among users as a type of SQL injection attack, but it exists here too. It works when the attacker exploits a vulnerable parameter in order to change the returned dataset. There are many uses of union queries; the most common ones are bypassing authentication pages and data extraction. Still, with a JSON query structure it is difficult to implement in NoSQL databases.
3) JavaScript injection: NoSQL databases introduced vulnerabilities that can allow JavaScript execution in the database, resulting in illegal access to data. The injection is applied by passing unsanitized user input to the queries, which is possible because the database enables complicated transactions through JavaScript. Running JavaScript inside the database engine is a risky feature: it creates an attack surface that is dangerous if the user input field is unsanitized.
4) Tautologies: In this attack type, which is the practical side of this paper, the attacker uses NoSQL operators like $ne or $gt to make the query always return true when it is sent to the server. In this way he can bypass authentication such as login pages and edit or extract data from our server by injecting a query statement that always returns true (a tautology).

IV. NOSQL PREVENTION METHODS
As we mentioned, a NoSQL database is not completely protected from security vulnerabilities, including NoSQL injection. NoSQL injection is a type of attack where the attacker injects malicious code into NoSQL data, so in order to prevent this type of attack it is important to implement the following techniques:
1) Web application firewall: A WAF (Web application firewall) works by filtering and monitoring the HTTP traffic between web applications and the internet to prevent attacks like cross-site request forgery, XSS, file inclusion, and NoSQL injection. A WAF serves as a kind of reverse proxy that shields the server, ensuring clients interact with it before reaching the server, all based on a set of rules or policies designed to protect the server from application vulnerabilities by filtering harmful traffic. In terms of the OSI model a WAF works at layer 7 (the application layer), which means it is not capable of defending against all types of attack; this method of mitigating attacks is typically one part of a wider toolbox that altogether gives broad coverage against different types of attack. The "Cons" of this type of prevention are:
• Bypassing.
• Requires careful configuration to be effective.
• Complex and costly.
• False positives.
2) User-side validation: User-side validation refers to the process in which user input is checked by the browser without the need to send it to the server. This gives the user immediate feedback without refreshing the page, which is considered an advantage, but we cannot rely on this type of prevention because:
• It can be bypassed by altering the JavaScript code loaded in your browser.
• It can be bypassed using tools like curl.
3) Parameterized queries: Parameterized queries are a powerful tool for preventing injection attacks, but there are drawbacks to this type of prevention:
• Lack of flexibility.
• Extra development time.
• Memory overhead.
The way it works is by defining the NoSQL query structure first and then passing the parameters from the user later. In this way, the developer ensures that an attacker cannot change the intent of a query, such as by inserting a NoSQL command into the query parameters. This makes it very hard for the attacker to inject malicious code because the structure of the query has been predefined. Here is an example:

    // The query structure is fixed in code; only the values come from the user
    const filter = { name: 'omar' };
    const update = { $set: { age: 23 } };
    // Update the document matching the filter
    const result = await collection.updateOne(filter, update);
    console.log(result);

4) Use Express Mongo Sanitize: Express Mongo Sanitize acts as a middleware in the system that prevents the user from sending any input without it being sanitized before it is passed to the server, and so from gaining unauthorized access to sensitive data. This module works by searching req.body for any keys that begin with a $ sign or contain a . in order to fully remove these keys and their associated data from the object, or to replace the suspicious characters with other allowed ones.
5) Least-privilege model: Today most advanced attacks predominantly exploit privileged credentials in order to obtain super-user and administrator privileges. By limiting the user's privileges we reduce the ability of the user to gain unauthorized access to any activity that is not permitted to it, and the propagation of malware is halted by implementing least privilege on endpoints. This prevents attacks, such as NoSQL injection attacks, from leveraging elevated privileges to gain broader access, move laterally, install or execute malware, or inflict damage on the machine.
6) Server-side validation: Server-side validation is a second line of defense, considered more reliable and secure because it is under the control of the server. This form of validation offers a higher level of security: it can block harmful or incorrect data from infiltrating the database; moreover, server-side validation can tap into the database or other resources and carry out more intricate or conditional validations. That makes it more difficult to bypass or manipulate, and because we consider that user input cannot be trusted we add this type of defense and validate the input after it is received from the browser, by creating a new function that checks the user input on the server side.

V. EFFECT OF SECURITY MEASURES ON SW PERFORMANCE
In this section we need to keep in mind the performance of the website after we add all these prevention methods to mitigate the many types of attack the company or the server may be exposed to, since security measures in software can impact performance. For example:
1) Encryption: protects the confidentiality of the data, but it introduces computational overhead when it comes to large amounts of data.
2) Authentication and authorization: checks the user's privileges and access, but requires more processing and may slow down the response times of the system.
3) Server and user validation and sanitization: a very effective way to prevent injection attacks, as we did in this paper, but it imposes an extra computational burden to check the integrity of the input.
4) Resource limitations: security measures might require extra hardware capacity, which could conflict with the primary functions of the software.
There is more, but in general the developer should balance security and performance, optimizing the software performance while at the same time maintaining the security measures. This is a big challenge for the developer, but it is very important for delivering a secure and efficient user experience.

VI. RESULTS
Our practical attack manipulates all product reviews on the website. We chose OWASP Juice Shop for penetration testing because it provides this type of vulnerability, "Tautologies", named (NoSQL reviews manipulating). We now explain how we exploited this type of attack on the website mentioned.

Fig. 1. Request from the website.

Figure 1 is taken from the Burp Suite tool, and what we see is a normal request from the website we need to inject; in this type of attack the attacker manipulates the id parameter. This tool allows the attacker to modify the request before it reaches the server. The objective is to inject a condition that always evaluates to TRUE (e.g., using $ne). As a result, the injected condition effectively instructs the server to update all records where the id is not equal to -1 and set their reviews to match the message written by the attacker, so this could lead to unauthorized modification of multiple records in the server database. As we can see in Figure 2, the server accepted the injected condition from the attacker and returned HTTP/1.1 200 OK, as shown in Figure 3.

Fig. 2. The injected condition.

Fig. 3. The injection succeeded.

Here is our practical prevention solution:

    var userId = parseInt(req.body.id);
    // Reject the request unless the received id parsed as a number
    if (isNaN(userId) || userId == undefined) {
      return res.status(401).send();
    }

We added a function in the source code of the website at the place where the server receives the ID from the user. It checks the received ID using the "isNaN" function, which stands for "not a number", so if the ID received from the user is not a number it returns a 401 error. As Figure 4 shows, the hacker tried to pass the $ne operator, but the user input was checked by the function we added on the server side.
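Added example (not code from the paper or from OWASP Juice Shop) combining the two server-side checks described above: an express-mongo-sanitize-style key filter for the module in Section IV.4, and a stricter form of the Section VI id guard, stricter because parseInt('7abc') yields 7 whereas this version accepts only a plain non-negative integer. The function names, the request body shape { id, message } and the sample bodies are assumptions.

```javascript
// Added example, not code from the paper or from OWASP Juice Shop.
// Assumed request body shape: { id: <product id>, message: <review text> }.

// 1. Key filter in the style of express-mongo-sanitize: walk the parsed
//    body and drop every key that starts with "$" or contains ".", or, when
//    replaceWith is given, rewrite those characters instead of dropping.
function sanitize(value, replaceWith = null) {
  if (Array.isArray(value)) {
    return value.map((v) => sanitize(v, replaceWith));
  }
  if (value !== null && typeof value === "object") {
    const clean = {};
    for (const [key, v] of Object.entries(value)) {
      const suspicious = key.startsWith("$") || key.includes(".");
      if (suspicious && replaceWith === null) continue; // drop key and data
      const safeKey = suspicious ? key.replace(/[$.]/g, replaceWith) : key;
      clean[safeKey] = sanitize(v, replaceWith);
    }
    return clean;
  }
  return value; // strings, numbers, booleans pass through unchanged
}

// 2. Strict id check, a stricter form of the paper's parseInt/isNaN guard:
//    only a non-negative integer given as a number or a digit string passes.
//    Operator objects such as { $ne: -1 }, booleans, null and "7abc" fail.
function parseProductId(raw) {
  if (typeof raw !== "number" && typeof raw !== "string") return null;
  if (typeof raw === "string" && !/^\d+$/.test(raw)) return null;
  const id = Number(raw);
  return Number.isInteger(id) && id >= 0 ? id : null;
}

// 3. What the review-update handler would hand to collection.updateOne.
//    Returns { status, filter } instead of touching a database so that the
//    example runs offline; status 401 mirrors the paper's res.status(401).
function reviewUpdateFilter(body) {
  const id = parseProductId(sanitize(body).id);
  if (id === null) return { status: 401, filter: null };
  return { status: 200, filter: { id: id } };
}

// Constructed sample bodies: a normal request, and the tautology body from
// the paper's Burp Suite example where id is replaced by an operator object.
const normalBody = { id: "7", message: "Great juice" };
const tautologyBody = { id: { $ne: -1 }, message: "text set by the attacker" };

console.log(reviewUpdateFilter(normalBody));    // { status: 200, filter: { id: 7 } }
console.log(reviewUpdateFilter(tautologyBody)); // { status: 401, filter: null }
```

Either check alone stops the tautology body: the sanitizer removes the $ne key and leaves an empty object, which the id check then rejects; the id check also rejects the operator object on its own.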
Fig. 4. Hacker injection failed after we added a function that sanitized the user input on the server side.

VII. CONCLUSION
The paper shows many attack methods an attacker may use against NoSQL databases and how you, as a developer, can protect your system from these attacks, by discussing many prevention methods. By testing server-side validation we saw that it was the best prevention method and how efficient it is in preventing NoSQL injection, but it is not enough to fully protect the database; to ensure a high level of security we noted the importance of providing more prevention methods and mixing them, such as a least-privilege model, Express Mongo Sanitize and a Web application firewall. Finally, the paper discussed how a web application cannot be fully secure against NoSQL injection, but using these prevention methods in your application is far better than leaving it open for intruders.

REFERENCES
Acharya, D. P. (2023). MongoDB vs MySQL. https://kinsta.com/blog/mongodb-vs-mysql/. (Accessed: 2024-02-04)
Alazmi. (2023). Customizing OWASP ZAP: A proven method for detecting SQL injection vulnerabilities. IEEE. Retrieved from https://ieeexplore.ieee.org/abstract/document/10132146 doi: 10.1109/bigdatasecurity-hpsc-ids58521.2023.00028
Aliero. (2015). A component based SQL injection vulnerability detection tool. IEEE. Retrieved from https://ieeexplore.ieee.org/abstract/document/7475225 doi: 10.1109/mysec.2015.7475225
Analysis and mitigation of NoSQL injections. (2024). https://www.infoq.com/articles/nosql-injections-analysis/. (Accessed: 2024-02-03)
Client-side vs server-side validation. (2024). https://www.linkedin.com/advice/1/what-advantages-disadvantages-client-side-server-side. (Accessed: 2024-02-03)
Disadvantage of parameterized query. (n.d.).
Djuric, Z. (2013). A black-box testing tool for detecting SQL injection vulnerabilities. IEEE. Retrieved from https://ieeexplore.ieee.org/abstract/document/6650259 doi: 10.1109/icoia.2013.6650259
Khedkar, B. (2024). NoSQL injection. https://medium.com/@BhaktiKhedkar/nosql-injection-558337ea7d6c. (Accessed: 2024-02-03)
Limitations of WAF. (2024). https://sourcedefense.com/glossary/limitations-of-waf/. (Accessed: 2024-02-05)
Mongo NoSQL injection attack and how to prevent them. (2023). https://medium.com/@huseyin.isik000/mongo-nosql-injection-attack-and-how-to-prevent-them-with-nodejs-express-code-examples-beebae1a3d98. (Accessed: 2024-02-04)
Nilakshi, N. (2024). Express Mongo Sanitize. https://javascript.plainenglish.io/how-to-sanitize-your-express-app-against-mongodb-injection-cross-site-scripting-6a22f4e822aa. (Accessed: 2024-02-03)
NoSQL injection. (2024). https://portswigger.net/web-security/nosql-injection. (Accessed: 2024-02-03)
NoSQL injection cheatsheet. (2024). https://nullsweep.com/nosql-injection-cheatsheet/. (Accessed: 2024-02-04)
Parameterized query in MongoDB. (2024). https://www.linkedin.com/pulse/parameterized-query-mongodb-cyclobold-tech. (Accessed: 2024-02-03)
Principle of least privilege. (2020). https://www.cyberark.com/what-is/least-privilege/. (Accessed: 2024-02-04)
Web security testing with Burp Suite. (2024). https://www.pluralsight.com/paths/web-security-testing-with-burp-suite. (Accessed: 2024-02-05)
What is a WAF? (2024). https://www.cloudflare.com/learning/ddos/glossary/web-application-firewall-waf/. (Accessed: 2024-02-03)

(Analysis and Mitigation of NoSQL Injections, 2024) (What is a WAF?, 2024) (Client-side vs Server-side Validation, 2024) (PARAMETERIZED QUERY IN MONGODB, 2024) (Nilakshi, 2024) (Khedkar, 2024) (NoSQL injection, 2024) (Alazmi, 2023) (Aliero, 2015) (Djuric, 2013) (Principle of Least Privilege, 2020) (Mongo NoSQL injection attack and how to prevent them, 2023) (NoSql Injection Cheatsheet, 2024) (Acharya, 2023) (disadvantage of parameterized query, n.d.) (Limitations of WAF, 2024) (Web Security Testing with Burp Suite, 2024)